{
  "threat_severity" : "Low",
  "public_date" : "2025-12-24T00:00:00Z",
  "bugzilla" : {
    "description" : "kernel: ext4: fix bug_on in __es_tree_search caused by bad quota inode",
    "id" : "2425085",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2425085"
  },
  "cvss3" : {
    "cvss3_base_score" : "5.5",
    "cvss3_scoring_vector" : "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
    "status" : "verified"
  },
  "cwe" : "CWE-1288",
  "details" : [ "In the Linux kernel, the following vulnerability has been resolved:\next4: fix bug_on in __es_tree_search caused by bad quota inode\nWe got an issue as follows:\n==================================================================\nkernel BUG at fs/ext4/extents_status.c:202!\ninvalid opcode: 0000 [#1] PREEMPT SMP\nCPU: 1 PID: 810 Comm: mount Not tainted 6.1.0-rc1-next-g9631525255e3 #352\nRIP: 0010:__es_tree_search.isra.0+0xb8/0xe0\nRSP: 0018:ffffc90001227900 EFLAGS: 00010202\nRAX: 0000000000000000 RBX: 0000000077512a0f RCX: 0000000000000000\nRDX: 0000000000000002 RSI: 0000000000002a10 RDI: ffff8881004cd0c8\nRBP: ffff888177512ac8 R08: 47ffffffffffffff R09: 0000000000000001\nR10: 0000000000000001 R11: 00000000000679af R12: 0000000000002a10\nR13: ffff888177512d88 R14: 0000000077512a10 R15: 0000000000000000\nFS: 00007f4bd76dbc40(0000)GS:ffff88842fd00000(0000)knlGS:0000000000000000\nCS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 00005653bf993cf8 CR3: 000000017bfdf000 CR4: 00000000000006e0\nDR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\nDR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\nCall Trace:\n<TASK>\next4_es_cache_extent+0xe2/0x210\next4_cache_extents+0xd2/0x110\next4_find_extent+0x5d5/0x8c0\next4_ext_map_blocks+0x9c/0x1d30\next4_map_blocks+0x431/0xa50\next4_getblk+0x82/0x340\next4_bread+0x14/0x110\next4_quota_read+0xf0/0x180\nv2_read_header+0x24/0x90\nv2_check_quota_file+0x2f/0xa0\ndquot_load_quota_sb+0x26c/0x760\ndquot_load_quota_inode+0xa5/0x190\next4_enable_quotas+0x14c/0x300\n__ext4_fill_super+0x31cc/0x32c0\next4_fill_super+0x115/0x2d0\nget_tree_bdev+0x1d2/0x360\next4_get_tree+0x19/0x30\nvfs_get_tree+0x26/0xe0\npath_mount+0x81d/0xfc0\ndo_mount+0x8d/0xc0\n__x64_sys_mount+0xc0/0x160\ndo_syscall_64+0x35/0x80\nentry_SYSCALL_64_after_hwframe+0x63/0xcd\n</TASK>\n==================================================================\nAbove issue may happen as follows:\n-------------------------------------\next4_fill_super\next4_orphan_cleanup\next4_enable_quotas\next4_quota_enable\next4_iget --> get error inode <5>\next4_ext_check_inode --> Wrong imode makes it escape inspection\nmake_bad_inode(inode) --> EXT4_BOOT_LOADER_INO set imode\ndquot_load_quota_inode\nvfs_setup_quota_inode --> check pass\ndquot_load_quota_sb\nv2_check_quota_file\nv2_read_header\next4_quota_read\next4_bread\next4_getblk\next4_map_blocks\next4_ext_map_blocks\next4_find_extent\next4_cache_extents\next4_es_cache_extent\n__es_tree_search.isra.0\next4_es_end --> Wrong extents trigger BUG_ON\nIn the above issue, s_usr_quota_inum is set to 5, but inode<5> contains\nincorrect imode and disordered extents. Because 5 is EXT4_BOOT_LOADER_INO,\nthe ext4_ext_check_inode check in the ext4_iget function can be bypassed,\nfinally, the extents that are not checked trigger the BUG_ON in the\n__es_tree_search function. To solve this issue, check whether the inode is\nbad_inode in vfs_setup_quota_inode()." ],
  "affected_release" : [ {
    "product_name" : "Red Hat Enterprise Linux 8",
    "release_date" : "2024-05-22T00:00:00Z",
    "advisory" : "RHSA-2024:3138",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8",
    "package" : "kernel-0:4.18.0-553.el8_10"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "release_date" : "2024-04-30T00:00:00Z",
    "advisory" : "RHSA-2024:2394",
    "cpe" : "cpe:/a:redhat:enterprise_linux:9",
    "package" : "kernel-0:5.14.0-427.13.1.el9_4"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "release_date" : "2024-04-30T00:00:00Z",
    "advisory" : "RHSA-2024:2394",
    "cpe" : "cpe:/o:redhat:enterprise_linux:9",
    "package" : "kernel-0:5.14.0-427.13.1.el9_4"
  } ],
  "package_state" : [ {
    "product_name" : "Red Hat Enterprise Linux 10",
    "fix_state" : "Not affected",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:10"
  }, {
    "product_name" : "Red Hat Enterprise Linux 6",
    "fix_state" : "Out of support scope",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:6"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7",
    "fix_state" : "Fix deferred",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7",
    "fix_state" : "Fix deferred",
    "package_name" : "kernel-rt",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "fix_state" : "Fix deferred",
    "package_name" : "kernel-rt",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "fix_state" : "Fix deferred",
    "package_name" : "kernel-rt",
    "cpe" : "cpe:/o:redhat:enterprise_linux:9"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2022-50782\nhttps://nvd.nist.gov/vuln/detail/CVE-2022-50782\nhttps://lore.kernel.org/linux-cve-announce/2025122402-CVE-2022-50782-d849@gregkh/T" ],
  "name" : "CVE-2022-50782",
  "csaw" : false
}